It would have been incredibly hard not to hear something this week about the ongoing DDoS attacks against banks.  Many of the statements both this week and the previous weeks are consistent to: Distributed Denial of Service doesn’t mean that customer data is at risk. Banks should do a better job explaining this to customers. For me, these sound bytes somewhat miss the point. The security triad is Confidentiality, Integrity and Availability. The whole point of a Distributed Denial of Service (DDoS) is to remove Availability.

In an era where online banking and bill pay have become more prevalent, this actually does have the potential to cause real harm to customers. When trying to define the attributes of information security, the standard is Confidentiality, Integrity and Availability. I’ll use the SANS Glossary definition here:

Availability is the need to ensure that the business purpose of the system can be met and that it is accessible to those who need to use it.

If you need to pay your’ monthly housing bill; and can’t access your online payment system; it could be a problem. Sure, if you’re old school enough, you have physical paper checks lying around so you could make one of those out; or you could actually go to a branch and get a money order or bankers check – but if you’re young enough you may not actually know these things. If you’re older, you may not have time without failing your other commitments. Regardless, your preferred method of interacting with your money is unavailable.

Solving an availability problem isn’t easy however. If the attacker isn’t convenient enough to send all the requests from the same IP or block of IPs, or domain / domains – how do you filter legitimate requests from poor ones? It’s like trying to make out the few sane voices in a screaming mob. The alternate solution is usually to have so much overflow that you can handle all the requests; but this particular DDoS apparently has so much traffic that it’s not feasible to just pass all that additional traffic around.

Typical recommendations about Denial of Service or Distributed DoS attacks tends to focus on filtering out “easy” attacks, hardening the system, building fault tolerance into your configurations and planning for more capacity, through hot spares, or alternate systems. The volume and sophistication of the current attacks seems to be effective against these, based on it’s success in the banking sector; who also had warning this was coming.

Once we rule out that the existing guidance doesn’t appear to be sufficient, that still leaves a real problem. There are some real technical problems that can’t be easily solved today being surfaced as part of this attack. Maybe this is an argument for white listing; because if banks knew only to accept traffic from validated sources, it would be a lot harder to create this kind of extreme scale DDoS traffic on the second half of the connection (although it still requires all the initiation of connection work). Or maybe better multi-factor authentication – all inbound traffic is ignored until a second factor (something you are, have or know) is entered. Maybe groups should be able to share all the instant on redundancy / fail-over they have when it’s something targeted at a vertical. Or maybe, as with so many security problems, defense in depth is to start utilizing all three in some way.  Either way, this is a conversation that would be good to have in the public eye. How we, as customers, can have more availability to our necessary resources; and what additional responsibilities we and the banks have to enable this.

Image courtesy of Abode of Chaos

Categories IT Security and Data Protection, , , , Risk-Based Security for Executives, , , IT Security and Data Protection, , IT Security and Data Protection,

Tags , , , , ,

SANS Endpoint Security Maturity Model
  • Jack

    I'm afraid you've missed the point a little here….these DDoS attacks were not for the "Lolz", not for giggles nor political gain.

    These were bank heists…..big dirty bank heists. Some were probing missions, checking how fast and hard a bank could react to an attack. Timing responses, plotting and mapping response solutions and defense solutions.

    Some were full on attacks, with attackers covering their tracks by taking out the whole system to give them a head start towards the sunset before the banks even knew they were robbed.
    This was seen the in "dirtjumper" attacks of 2011:

    "The dirtjumper attackers were ambitious cybercriminals who generally operated Zeus botnets. If they were able to steal money via wire or ACH from a bank, usually a million dollars or more, they paid the operators of the dirtjumper botnet to take the bank web servers down. This had two benefits and one major drawback for the fraudsters. One advantage was that bank antifraud detection methods were paralyzed as everyone was focused on getting the bank up and running. The other benefit was the victim was unable to login to the site and see their money was missing. The main downside was once the pattern was identified, banks learned that the moment they were hit with a DDoS attack, they had likely experienced a major fraud event and should freeze and review large money movements. Cybercriminals are piggy-backing on the current attacks just like looters after a natural disaster, but do not seem to be the prime movers.

    Heres what others have been reporting:

    "Gartner's Avivah Litan told Government Info Security that she had anecdotal accounts of fraud slipping through banks' overloaded call centers while the online channels are under attack"

    "We are assuming that the attackers are doing this to perpetrate fraud," Mike Smith, a security evangelist with online security provider Akamai Technologies, told Bank Info Security. Smith was specifically referring to the fact that Capital One was targeted for a second time, which may mean that attackers are looking for different ways to try to compromise employees and get access to customer accounts.

    • Shawna Turner-Rice

      I believe you are right in some cases. I didn't specifically talk to that, because we may have more than one threat actor here. Based on the limited confirmed data we have at this time, it appears that the people using the Gozi trojan are a different group than the attackers with the 'itsoknoproblembro" bots. There haven't been any reported fraud associated with the DDoS attacks against the US banks that were targeted by the Qassam Cyber Fighters over the last 5 weeks. That doesn't in any way rule out other threat actors doing a copycat DDoS for a different goal; or that more information will come out later to indicate that you were spot on. Just that we don't have that confirmation at this time.

    • Shawna Turner-Rice

      Starting to see assertions that there is no relationship between the Gozi Prinimalka and the ongoing DDoS attacks.

      Connection to DDoS Hits?

      KITTEN: Do you think there is any connection with the denial-of-service attacks targeted at leading U.S. institutions recently?

      AHUVIA: There is almost certainly no connection whatsoever
      between the two. Different sources report different motives behind the
      DDoS attacks that have been online. Most of them seem to be emanating
      from the Middle East, but this is really something completely different.
      This is an announcement that was made by a Russian-speaking gang, and
      really the financial incentive here is unequivocal. There is no doubt
      that this gang is out there to make money. There is no ideological
      scheme here. They are looking into targeting American banks and exploit
      the fact that banks in the U.S. do not use two-factor authentication, as
      I mentioned. Also, we've seen that the same banks have been targeted by
      this gang, by the Prinimalka Trojan, for the past two years, so they
      are familiar with these banks. They know how to cash them out,
      apparently, or at least they think they do. And I really think there is
      absolutely no connection between the two.

Previous Contributors

View all posts by Previous Contributors >